CVE-2026-2614: MLflow: path traversal allows unauthenticated file read
GHSA-42h5-h8qh-vv9v HIGH CISA: TRACK*MLflow's model version creation handler contains a path traversal flaw that allows any unauthenticated attacker with network access to the MLflow tracking server to read arbitrary files from its filesystem. The exploit requires a single crafted API request — no credentials, no prior access — making exploitation trivially achievable by a script-kiddie once the attack primitive is published. MLflow servers in typical MLOps environments hold or have access to cloud provider credentials, API keys in environment files, model weights, and proprietary training data, meaning a successful read can cascade into full cloud account compromise. Organizations should upgrade to MLflow 3.10.0 immediately; if patching cannot be done today, restrict MLflow server network exposure to trusted IP ranges only and audit recent model version creation logs for source paths outside the expected model artifact directories.
What is the risk?
HIGH for any organization running MLflow ≤ 3.9.0 with a network-reachable tracking server. The authentication bypass is complete — zero credentials required — and the exploit primitive is explicit from the CVE description, meaning weaponization time is measured in hours once public attention lands on this. MLflow's typical deployment posture (internal data-center or VPC with assumed-safe network perimeter) creates a false sense of security; lateral movement from a compromised internal host or a misconfigured security group is sufficient to reach these servers. No CVSS score is assigned yet, but the attack vector (network), privileges required (none), and impact (complete confidentiality loss) place this firmly in the 9.x Critical range under standard scoring.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| MLflow | pip | < 3.10.0 | 3.10.0 |
Do you use MLflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Upgrade to MLflow 3.10.0 immediately — this is the only complete fix. 2) If immediate patching is blocked, restrict network access to the MLflow tracking server to explicitly allowlisted IP ranges; do not rely on VPC perimeter as sole control. 3) Review MLflow server process privileges and ensure it runs under a dedicated service account with minimal filesystem permissions (no access to ~root, ~/.ssh, ~/.aws). 4) Audit model version creation events in MLflow logs from the past 90 days; flag any CreateModelVersion requests where the source field contains paths outside expected artifact directories (e.g., /etc/, /home/, ~/.aws/, /var/secrets/). 5) Rotate all credentials that may have been accessible to the MLflow server process — cloud API keys, database passwords, service account tokens. 6) Enable authentication on MLflow tracking servers if not already in place; the default MLflow configuration ships with no authentication.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-2614?
MLflow's model version creation handler contains a path traversal flaw that allows any unauthenticated attacker with network access to the MLflow tracking server to read arbitrary files from its filesystem. The exploit requires a single crafted API request — no credentials, no prior access — making exploitation trivially achievable by a script-kiddie once the attack primitive is published. MLflow servers in typical MLOps environments hold or have access to cloud provider credentials, API keys in environment files, model weights, and proprietary training data, meaning a successful read can cascade into full cloud account compromise. Organizations should upgrade to MLflow 3.10.0 immediately; if patching cannot be done today, restrict MLflow server network exposure to trusted IP ranges only and audit recent model version creation logs for source paths outside the expected model artifact directories.
Is CVE-2026-2614 actively exploited?
No confirmed active exploitation of CVE-2026-2614 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-2614?
1) Upgrade to MLflow 3.10.0 immediately — this is the only complete fix. 2) If immediate patching is blocked, restrict network access to the MLflow tracking server to explicitly allowlisted IP ranges; do not rely on VPC perimeter as sole control. 3) Review MLflow server process privileges and ensure it runs under a dedicated service account with minimal filesystem permissions (no access to ~root, ~/.ssh, ~/.aws). 4) Audit model version creation events in MLflow logs from the past 90 days; flag any CreateModelVersion requests where the source field contains paths outside expected artifact directories (e.g., /etc/, /home/, ~/.aws/, /var/secrets/). 5) Rotate all credentials that may have been accessible to the MLflow server process — cloud API keys, database passwords, service account tokens. 6) Enable authentication on MLflow tracking servers if not already in place; the default MLflow configuration ships with no authentication.
What systems are affected by CVE-2026-2614?
This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registries, training pipelines, experiment tracking infrastructure.
What is the CVSS score for CVE-2026-2614?
CVE-2026-2614 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.70%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0025 Exfiltration via Cyber Means AML.T0035 AI Artifact Collection AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials Compliance Controls Affected
What are the technical details?
Original Advisory
A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.
Exploitation Scenario
An attacker targeting an organization's ML infrastructure performs reconnaissance and identifies a publicly reachable or internally accessible MLflow tracking server (common in developer environments, CI/CD pipelines, or misconfigured VPCs). Without any credentials, the attacker sends a POST request to the MLflow REST API to create a model version, embedding the tag `mlflow.prompt.is_prompt` and setting the source field to a sensitive filesystem path such as `/home/mlflow/.aws/credentials` or `/etc/environment`. The source path validation check is bypassed because the presence of the prompt tag triggers a code path that skips path sanitization. The attacker then issues a GET request to retrieve the model version's artifacts, and the `get_model_version_artifact_handler()` serves the file contents verbatim without re-validating the model version's prompt status. The attacker now holds cloud credentials and can pivot to S3 buckets, GCS, or Azure Blob Storage containing proprietary model weights and training datasets.
Weaknesses (CWE)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Primary
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Primary
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2025-15379 10.0 MLflow: RCE via unsanitized model dependency specs
Same package: mlflow CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same package: mlflow CVE-2023-2780 9.8 MLflow: path traversal allows arbitrary file read/write
Same package: mlflow CVE-2023-1177 9.8 MLflow: path traversal allows arbitrary file read/write
Same package: mlflow CVE-2026-2635 9.8 mlflow: security flaw enables exploitation
Same package: mlflow